YieldVault Agent

Security checks across malware telemetry and agentic risk

Overview

This skill matches its yield-farming purpose, but it can autonomously sign blockchain transactions with a raw private key and ships testnet/stub contract code with mixed production-readiness messaging.

Install only for testnet or local evaluation unless you fully understand the financial risk. Do not use a wallet with real funds, do not use the stub YieldVault contract in production, and require hardware-wallet/KMS signing, audited contracts, explicit transaction limits, and human approval before any mainnet deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation indicates use of environment variables for sensitive capabilities such as wallet keys, RPC endpoints, and Telegram credentials, but no corresponding permissions are declared. This creates a transparency and governance gap: operators may install or run a skill with access to secrets and privileged execution paths they were not explicitly warned about. In the context of an autonomous on-chain agent, undeclared env access is more dangerous because those secrets can directly enable blockchain transaction signing and outbound data transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated description underrepresents materially sensitive behaviors: outbound Telegram messaging, contract deployment/management, local log persistence, and especially use of a private key to sign and broadcast live blockchain transactions. This mismatch can mislead users about the true operational and security footprint of the skill, causing them to grant trust or run it in environments where secret exposure, unintended fund movement, or data leakage become possible. Because this is an autonomous yield farming agent, hidden or under-disclosed transaction execution is particularly risky: the core context involves direct control over financial assets on-chain.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The REBALANCE example contains an internal inconsistency: the ranking lists BNB-BUSD at 37.5% and LINK at 35.0%, yet the narrative says LINK is the best vault and recommends moving funds based on that premise. In an autonomous yield-farming agent, contradictory examples can mislead implementers, operators, or downstream prompt consumers into executing suboptimal or unintended portfolio moves, weakening trust in deterministic decision logic.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README scopes the contract to BNB Testnet and explicitly calls it a stub, while the skill metadata presents an autonomous yield farming agent for BNB Chain more generally. That mismatch can cause operators or downstream agents to treat a non-production implementation as suitable for real deployments, increasing the chance of unsafe fund handling or incorrect network targeting.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document says the contract is 'Ready for Deployment' and later also says it is a stub, not audited, with no reentrancy guards and limited access control. In a yield-farming context, contradictory readiness claims can mislead users into deploying or integrating insecure code with real assets, turning documentation ambiguity into a concrete operational security risk.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The `compound()` function mints new shares and increases `totalAssets` based on a calculated yield without receiving any tokens, effectively creating unbacked assets and shares out of thin air. An attacker can call compound repeatedly to inflate their share balance, then withdraw against real vault funds deposited by others, leading to insolvency and theft of underlying assets.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The `compound()` function mints new shares and increases `totalAssets` based on a calculated yield without receiving any tokens, effectively creating unbacked assets and shares out of thin air. An attacker can call compound repeatedly to inflate their share balance, then withdraw against real vault funds deposited by others, leading to insolvency and theft of underlying assets.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Ownership transfer creates a powerful governance path that can redirect full administrative control to another address, including one controlled by an attacker or a single opaque operator. In a product described as an autonomous yield farming agent, this hidden trust dependency materially increases rug-pull, censorship, and parameter-manipulation risk for depositors.

Context-Inappropriate Capability

Medium
Confidence
74% confidence
Finding
Pause and unpause let a privileged actor unilaterally halt core vault operations, which introduces censorship and availability risk inconsistent with a deterministic autonomous agent. While emergency stops can be protective, they also create a central control point that users must trust and that could be abused or compromised.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
A mutable fee parameter gives the owner economic control over user returns and can be abused to extract value after deposits are made. Even with an apparent cap in bytecode, changing fees post-deposit creates trust risk and can materially harm users if governance is compromised or acts opportunistically.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script presents itself as a deployment tool, creates wallet/public clients, checks balances, prints deployment progress, and writes a deployments report, but never actually submits contract creation transactions. In an autonomous yield-farming context, this can mislead operators or downstream automation into believing vaults were deployed and verified when they were not, causing unsafe operational decisions, misconfiguration, or funds being directed to nonexistent infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.